Inside the Hunt for Chinese Hackers

The recent report from the security company Mandiant about Chinese hacking practices has been international fodder all week -- for media outlets eager to report and Chinese officials eager to deny. In the process, the firm has found itself in the public spotlight. Dan McWhorter, managing director of Mandiant's threat intelligence unit, discusses the roots of the investigation.

A recent report by Mandiant, a U.S. information security firm, has added a new chapter to the discussion about cybersecurity -- and put China on the defensive. In chronicling the massive, years-long espionage campaign conducted by the People's Liberation Army Unit 61398, the report implicates the Chinese government and military, and makes suspicions about China's cyberwarfare that much more credible.

To get a better understanding of the report and the reaction to it, we are joined by Dan McWhorter, the managing director of Mandiant's threat intelligence unit. McWhorter, who helped compile the report, talks about the six-year investigation of Unit 61398, the Chinese hacking connection to corporate espionage, and how the publicity surrounding the report has raised the profile of his company.

TechNewsWorld: I want to ask you first about the response and the reaction to the report. It's been headline news in US outlets and outlets around the world. It's touched off discussions in politics and military, and now Mandiant is being called out by members of the Chinese inner circle. Cybersecurity firms are increasingly in the news, but I have to imagine that this has nonetheless been pretty heady stuff for you guys the last few days.

Dan McWhorter: It really has. I mean, we're a small company. We only have roughly 300 employees currently, so you know, for the type of splash and reaction we got, for the size of the company it's been fairly impressive. I think it speaks to how widespread the problem is, and that people are starting to grasp more and more the consequences of cyberthreats.

TechNewsWorld: Now, cybersecurity and cyber threats -- this is an increasingly talked-about topic, especially the last few months. In the fall, there was the House Intelligence report about Huawei and ZTE, the Chinese telecommunications companies. Shortly after that, Leon Panetta warned of a "cyber Pearl Harbor," and then even more recently than that President Obama spoke about cybersecurity in the State of the Union address, which is just about as big of a stage as you can have. So this report is definitely adding to a hot debate right now. But I'm curious -- is this a new discussion that we're having about cybersecurity, is that a reflection of a new problem? Or is this something that's been going on for a while and it's only now getting the attention it deserves?

McWhorter: Yeah, it's definitely been going on for a while. You know, the attention it deserves is probably in direct correlation to the level of pain people feel when it happens. I think since it's happening more and more, and people are becoming more aware, they're starting to realize the financial and economic impacts of this level of espionage that we're seeing.

In particular, in the report -- our company in general has been responding to incidents, computer network incidents, where a hacker or some activity has been done on a network. We've done that for nine years, but this group in particular (Unit 61398) we've been tracking for at least six years, and we see evidence of them going all the way back to 2004 with their activity. So is it new? No. This group has been doing this a long time. They're really the most loud and most prolific of the data theft groups from China that we see. Because we've been tracking them for six years, we were able to provide in our report over 3,000 digital indicators to help people protect and defend themselves against this threat. [*Correction - Feb. 26, 2013]

TechNewsWorld: What was the impetus for doing such an in-depth investigation on this one group? Were you seeing a recurrence of the same sort of tactics? The same sort of espionage? What was it that clued you off that this was something you should focus on?

McWhorter: There are a few different things. One is, there's not much that's changed with the group. We've known them very well for a long time, and so have other security firms. I mean, they've hit broad industries. We list over 20 industries that they've stolen from across 141 different victims. So, we pretty well knew their tactics and knew what they were up to.

But I will say, whenever you go to disclose information to the public, you have to weigh the pros and cons. And in our case, we've almost always taken a very conservative stance that we didn't want -- we track 22 other or 24 other groups, APT (advanced persistent threat) groups, that we believe trace back to China, but we don't release information on them. The reason is, we don't necessarily have an absolute, complete picture. We have a partial picture, a partial understanding, so we don't feel confident releasing that data, because we feel that they'll change their tactics and we'll lose our foothold. And that's sort of the same mentality that the government uses from a national security mindset, when they choose whether to say something or not.

With this group in particular, though, the realization came that we know these guys so well -- front, back, inside and out. We know the systems they've compromised, we know their tools, we know their attackers, we recognize their methodologies, we know their malware. We really felt confident in being able to release the information and not lose our visibility into what the group's doing.

TechNewsWorld: One of the quotes that was picked up on by a lot of different news outlets came from Kevin Mandia, the founder and CEO of Mandiant. He told The New York Times, "Either the attacks are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about the thousands of people generating attacks in this one neighborhood." So there's really a very direct -- it's not an insinuation, it's really just kind of stating, "There had to have been knowledge about this among the people who control the Chinese Internet, the Chinese government had to have been privy to what was going on." This is something that you have little doubt about in your mind? That it wasn't some isolated group in this building, that it was part of something much larger?

McWhorter: Yeah, I mean, it really comes down to an Occam's Razor argument, and that's where we started -- or actually, that's where we ended up. But you end up with, let's say, 10 pieces of evidence that are very interesting and very solid in their foundation of fact. So you get 10 things that are facts, and then you look at them and you say, "Well, in order to tie all these together, let's consider the different hypotheses." And Occam's Razor basically says, if you can tie all 10 of those together with an obvious answer, in all likelihood it's right -- it's more right than if you have to tie all 10 of them together with very complex, convoluted types of explanations for everything you've witnessed or observed.

And that's really where Kevin gets that. If you take a look at our evidence -- so all of our evidence, all the digital communications keep traveling back to Shanghai -- [there are] over 850 command-and-control servers that they used to attack other infrastructure that we've monitored, and when they connect up to those command-and-control systems ... when we track those communications, 98 percent of the time they go to Shanghai. So that's one piece of evidence.

Take another piece of evidence: You have attackers who are using that same infrastructure to go do personal things that they're not allowed to do within China. So, you know, they log into this attack infrastructure, and while they're attacking organizations, they're off checking their email, they're on Facebook -- so we know these people. We know their names, we know where they live, we know who they work for.

Then there's other things. Look at the longevity. This has been going on for six years, 141 victims just that we can see as a small company, thousands and thousands of documents that have been stolen. And you have to ask yourself: "What kind of organization could do this? How large do you have to be?" Well, someone has to select targets, someone has to keep up the infrastructure, someone needs to figure out what to steal. When you steal terabytes and terabytes of data -- if you had to do that on the forensics side of things, that would take you years to go through terabytes of data. Who's going through this? Who's picking out the nuggets that are useful? I mean, you stole it for a reason; someone's looking at it. How many people does it take to look at this quantity of data? So when you think about the size of the organization -- that's another piece of the puzzle.

So what the Occam's Razor argument comes back to -- and what Kevin alluded to and what we have in our conclusion to the document is -- when you take all of these individual things together, for any one of them, you could likely build up a story. ... As you build up the evidence, for maybe seven of the 10 pieces of evidence, you could come up with a story that fits that pretty well, but doesn't fit the other three. Maybe for another story, you could get four or five of them to work pretty well but not all 10. But in their entirety, it's almost an absurdity to think about any other option. That's really the basis.

TechNewsWorld: One of the reasons that Huawei and ZTE were deemed suspicious by US officials late last year is their connections to the Chinese military and to the People's Liberation Army. Huawei, of course, was founded by an ex-military officer, and this was a nugget of news that was always cited. Now, with your report, the idea that the Chinese military is so heavily involved in this sort of extensive, hardcore cyber espionage -- it makes those military connections that are both known and suspected that much more interesting when you think back to the Huawei and ZTE suspicions and allegations. Do you have any sense of what kind of corporate espionage might be linked to this PLA operation? Is there any way to know whether corporations like Huawei and ZTE -- if not those in particular, is there any way to know if they were involved or had any sort of connection to this?

McWhorter: There are certainly indications of that. You know, I'm not a political science expert, but one thing to always keep in mind with a communist regime is, the split between industry and government that we're used to seeing in democratic, free market societies is just not there. So we consider government and industry to be very distinct, but they don't; they're one and the same. In fact, most of the boards inside of communist communities report at some level to the government.

So there is a very obvious, natural link there. And as you see all these documents being stolen -- they're very odd documents. Sometimes it's obvious. It's a drawing for a new clean energy engine -- okay, that's obvious, they're stealing design specs. But sometimes they steal things that don't make any sense unless you really put your thinking cap on and you think about it. Like, say for instance they steal all the timesheets for all the mechanics in a division. You might say, "Why would you steal that?" Well, if you need to produce the same type of product, and you want to understand how much time and energy it takes, and how much manpower it takes, that's very useful information. Anything that brings efficiency to the business and can make them more competitive in the global market is what they're interested in.

*ECT News Network editor's note - Feb. 26, 2013: Our original published version of this transcript incorrectly quoted Dan McWhorter as saying that the Mandiant report includes "over 30,000 digital indicators." What he actually says is "3,000 digital indicators." We regret the error.